Account security is a foundational skill for A+ technicians. CompTIA A+ 220-1102 tests password policies, multi-factor authentication, account management, least privilege, and credential security. This guide covers every account security concept in the A+ Core 2 objectives.
Strong password characteristics:
- Length: at least 12-16 characters; length matters more than complexity.
- Complexity: a mix of uppercase, lowercase, numbers and symbols.
- Uniqueness: a different password for every account.
- Unpredictability: not based on personal information such as names, birthdays or dictionary words.

Password policy settings (via Local Security Policy or Group Policy):
- Minimum password length: 12-14 characters for most environments.
- Password complexity: requires uppercase, lowercase, a number and a symbol.
- Password history: prevents reusing the last N passwords (e.g., the last 24 are remembered).
- Maximum password age: the password expires after N days (e.g., 90 days).
- Minimum password age: prevents users from immediately changing back to an old password, which would otherwise let them cycle through the whole history in one sitting.

Password managers (Bitwarden, 1Password, LastPass) generate and store a unique password for every account and are strongly recommended: they remove the human tendency to reuse passwords across accounts.
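As an added example (not code from the original guide), the policy settings above expressed as a small enforcement routine: minimum length, complexity, minimum age, a remembered-password history kept as salted hashes, and maximum-age expiry. The policy values and the walk-through scenario are constructed for the demo.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:
    """Assumed values for the settings described above (Local Security Policy equivalents)."""
    min_length: int = 12
    history_size: int = 24                  # "enforce password history"
    min_age: timedelta = timedelta(days=1)
    max_age: timedelta = timedelta(days=90)

@dataclass
class AccountRecord:
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest first
    last_changed: datetime = None                 # None until the first change

def _hash(password, salt):
    # Slow, salted hash so the stored history cannot be reversed if it leaks
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_new_password(policy, record, new_pw, now):
    """Return the policy violations for a proposed change (empty list means it is allowed)."""
    problems = []
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not all(re.search(p, new_pw) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")):
        problems.append("needs upper, lower, digit and symbol")
    if record.last_changed and now - record.last_changed < policy.min_age:
        problems.append("minimum password age not reached")
    if any(hmac.compare_digest(_hash(new_pw, s), h) for s, h in record.history[:policy.history_size]):
        problems.append("reuses one of the remembered passwords")
    return problems

def apply_change(policy, record, new_pw, now):
    salt = os.urandom(16)
    record.history.insert(0, (salt, _hash(new_pw, salt)))
    del record.history[policy.history_size:]      # forget entries beyond the history size
    record.last_changed = now

def password_expired(policy, record, now):
    return record.last_changed is None or now - record.last_changed >= policy.max_age

def demo_scenario():
    """Constructed walk-through: first change, a reuse attempt two days later, a weak candidate, expiry."""
    policy, record, t0 = PasswordPolicy(), AccountRecord(), datetime(2024, 1, 1, 9, 0)
    first = check_new_password(policy, record, "Correct-Horse-7-Battery", t0)
    apply_change(policy, record, "Correct-Horse-7-Battery", t0)
    reuse = check_new_password(policy, record, "Correct-Horse-7-Battery", t0 + timedelta(days=2))
    weak = check_new_password(policy, record, "password1", t0 + timedelta(days=2))
    return first, reuse, weak, password_expired(policy, record, t0 + timedelta(days=91))
```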
MFA requires two or more authentication factors from different categories. Authentication factor categories:
- Something you know: password, PIN, security question.
- Something you have: smartphone (authenticator app, SMS code), hardware token (YubiKey), smart card.
- Something you are: fingerprint, face recognition, iris scan (biometrics).
- Somewhere you are: GPS-based location verification.
- Something you do: behavioral traits such as typing patterns or mouse movement.

Common MFA implementations:
- SMS one-time passcode (OTP): convenient but susceptible to SIM swapping.
- Authenticator app (Google Authenticator, Microsoft Authenticator, Authy): generates a TOTP (Time-based One-Time Password) locally on the device, so it is more secure than SMS.
- Hardware token (YubiKey, RSA SecurID): most secure; FIDO2 keys such as YubiKey are phishing-resistant because they are bound to the site's domain.
- Push notification: the app displays a prompt to approve the login.

MFA significantly reduces account takeover risk even if the password is stolen. Password + MFA = defense in depth.
Least privilege: users and programs should have only the minimum access required to perform their function. Why it matters: it limits the damage from a compromised account, malware running as a standard user cannot make system-wide changes, and insider threats have a limited scope.

Applying it in practice:
- Windows: use standard user accounts for daily work, not admin accounts. Create separate admin accounts used only for administrative tasks. UAC enforces this for standard users, prompting for admin credentials before system changes.
- Linux: use sudo for specific commands rather than logging in as root.
- Application permissions: apps should not run as SYSTEM or Local Admin unless truly necessary.
- Service accounts: services should run as dedicated accounts with minimal privileges (not SYSTEM or Administrator).
- Role-based access control (RBAC): assign permissions based on job role, not to individuals one by one.
- Separation of duties: no single person has complete control over a critical process.
Account types in Windows: Administrator (full control), Standard user (limited; needs admin credentials for system changes), Guest (disabled by default in Windows 10/11).

Best practices:
- Disable or rename the built-in Administrator account.
- Create a named admin account for each administrator, so actions can be attributed to a person.
- Leave the Guest account disabled (its default state).
- Use strong, unique passwords on all accounts.
- Set account lockout (Local Security Policy → Account Lockout Policy).

Account kinds to know:
- Windows local accounts vs. Microsoft accounts: local accounts are stored on the machine; Microsoft accounts sync across devices and provide cloud features.
- Active Directory accounts: domain accounts controlled centrally by IT.
- Shared accounts: avoid them; individual accountability is lost.
- Service accounts: dedicated accounts for running services; use strong passwords and never log in with them interactively.
- Account audit: regularly review user accounts and remove those no longer needed (offboarding).
Smart card: contains an embedded cryptographic chip. Used for logical access (Windows login) and physical access (building entry). A PIN is required to activate it, so something you know + something you have = 2FA. Smart card reader: built in (laptops) or an external USB device. Windows Smart Card logon requires the smart card and its PIN. Common in government, military, and high-security enterprise environments.
- CAC (Common Access Card): U.S. military smart card for physical and logical access.
- PIV (Personal Identity Verification): federal civilian standard smart card.
- Hardware security key (FIDO2): YubiKey, Google Titan Key; plugs into USB, and the user taps it to authenticate. Phishing-resistant: the credential is bound to the specific website's domain and cannot be redirected to a look-alike site.
- Certificate-based authentication: X.509 certificates stored on smart cards or in software, used for SSL/TLS client authentication and email signing/encryption (S/MIME).
These questions are representative of what you will see on A+ exams. The correct answer and explanation are shown immediately below each question.
Which authentication method requires two separate categories of credentials?
Explanation: A password (something you know) and a fingerprint scan (something you are) come from two different authentication factor categories, so together they are true multi-factor authentication. A PIN plus a password are both "something you know" and do not constitute MFA.
Immediately disable (not just change the password for) the former employee's accounts across all systems: Windows domain account, email, VPN, cloud services, building access. Disable rather than delete initially to preserve audit trail and recover any needed data. Transfer ownership of files and resources. Return all company equipment. This is called the offboarding process and should follow a documented checklist.